Malaysia Airlines recently disclosed suffering from a nine-year data breach; the breach possibly exposed the personal information of members in its Enrich frequent flyer program.
According to reports, the breach occurred due to a third-party IT service provider.
At this time, it remains unknown how many Enrich users were affected by the breach. In a statement, Malaysia Airlines said: “Malaysia Airlines has no evidence that any personal data has been misused and the incident did not disclose any account passwords. We are nevertheless encouraging Enrich members to change their account passwords as a precautionary measure. The incident did not affect Malaysia Airlines’ own IT infrastructure and systems in any way.”
The information possibly exposed includes member names, contact information, date of birth, gender, frequent flyer number, status. and rewards tier level.
A nine-year data breach certainly merits discussion and best practices. We reach out to several cybersecurity experts for their thoughts on the matter.
Key Lessons from the Malaysia Airlines Nine-Year Data Breach
Demi Ben-Ari is Co-founder and CTO of Panorays.
“The recent data breach at Malaysia Airlines illustrates how customers’ personal data can be compromised through a third-party provider. Unfortunately, this is not the first time an airline has experienced a third-party data breach, and it likely won’t be the last. To prevent such incidents, it’s crucial for every company to perform comprehensive evaluations of their third parties that combine external attack surface assessments, security questionnaires and business context for the most accurate view of vendor cyber risk. In addition, continuous monitoring is absolutely necessary for ongoing visibility, insight and control of third-party security risk.”
Chris Clements is VP of Solutions Architecture at Cerberus Sentinel.
“One of the worst aspects of ‘supply chain’ attack compromises is that it can be even harder to detect than a direct breach of an organization. Now more than ever businesses need to fully vet and actively manage vendors who may be able to access sensitive systems or data. A strong vendor management program can go a long way to preventing exposure by requiring third parties that interact with a business’s data or systems follow information security best practices and can demonstrate due diligence by adhering to well-known security standards such as NIST or ISO and also perform regular security testing to ensure that no mistakes that could lead to exposures have fallen through the cracks.”
Purandar Das is CEO and Co-Founder of Sotero.
“Organizations continue to be impacted by under-protected third-party service providers. While such services are a key part of an organization’s customer services, they pose an increasing risk to the company. This is an area that is being increasingly targeted by hackers. The reason is fairly simple. Service providers are less organized in terms of security.
Their infrastructure is less secure and more easily penetrated. Hackers target them knowing that their access to potentially valuable data is easier. On the surface, this data seems less likely to cause damage to the consumer.”
“However, this stolen data forms a part of the consumers’ profile that is created by data stolen from many locations. In totality, this enables the hackers to assemble a strong profile of the consumers and their behavior and could be used to target them for nefarious purposes. The fact that this breach happened over a long period of time without detection indicates the lack of security at the service provider. It is also unlikely that this data was not used for wrong reasons if the breach lasted as long it did. If the data was useless, the hackers would have moved on. It is time for organizations to take control of their data and its protection even when it is in the hands of service providers.”
Thanks to these cybersecurity experts for their thoughts on the nine-year data breach. For more on third-party security, check out our SIEM Buyer’s Guide.
- The Best Cybersecurity Certification Courses on Udemy to Consider - May 19, 2022
- More Expert Commentary and Coverage of the GetHealth Exposure - September 14, 2021
- GetHealth Platform Misconfiguration Exposes 61 Million Fitness-Tracking Records - September 13, 2021